Decision Procedures for Elementary Sublanguages of Set Theory.
VII. Validity in Set Theory When a Choice Operator is Present

by 

A.  Ferro 

University  of  Catania  and  Courant  Institute 

and 

E.G.  Omodeo 

Enidata  -  Bologna 


1.    Introduction 

In a language designed to formalize set theory, it is useful to incorporate a primitive
unary operator $\eta$ about which one postulates that $\eta s \in s$ and $\eta s \cap s = \emptyset$ for every nonempty
set $s$. The existence of such an $\eta$ implies the validity of both the foundation (or regularity)
axiom and the axiom of choice (see [8], [9], [10]). Moreover, in automatic theorem proving
the introduction of such an operator seems to be the most natural way of formalizing
induction proofs in mathematics (cf. [11]).

In this paper we consider an unquantified theory whose only relators and operators are
$=$ (equality), $\in$ (membership), $\cup$ (binary union), $\setminus$ (set difference), $\eta$; in addition to these
symbols, our language involves the usual propositional connectives and denumerably many
variables, which are supposed to range over finite sets. (Apart from the restriction of
considering only finite sets this is an extension of the theory MLS considered in [1]). We
show that if we impose some further semantical constraints on $\eta$, then for every formula $p$ of
our language either $p$ is valid, i.e. true under all possible assignments of finite sets to the
terms, or some such assignment makes $p$ false, independently of the particular choice of
$\eta$. We achieve this by giving an algorithm which either detects the validity of $p$ or builds a
counterexample of $p$ (independent of $\eta$) when $p$ is invalid.

We consider also the language in which the symbols $\cup$, $\setminus$ are not allowed (cf. [2]) but
in which variables are supposed to range over arbitrary sets. A similar completeness theorem
is proven under weaker assumptions on $\eta$ by giving an alternative decision method applicable
only to formulae of this sublanguage.

2.   Semantics of the Choice Operator $\eta$

If we simply required that $\eta s \in s$ and $\eta s \cap s = \emptyset$ for every nonempty set $s$, and assigned
some default value to $\eta\emptyset$, then the usual relationship between validity and satisfiability could
not be made independent of the particular choice of the function $\eta$. For example the formula

$$\eta x \in y \;\&\; \eta y \in x \rightarrow \eta x = \eta y \tag{2.1}$$

is neither valid, i.e. true under all possible assignments of (finite) sets to variables, nor does its
negation have a model independent of $\eta$. The same holds for the formulas

$$v \in w \;\&\; w \in \eta x \rightarrow v \notin x \tag{2.2}$$

$$v \subset \eta x \;\&\; v \neq \eta x \rightarrow v \notin x \tag{2.3}$$

To avoid this kind of problem we will put more semantical constraints on $\eta$. More
precisely we assume that for some well ordering $<$ of all sets the following restrictions are
satisfied:

$R_0$: $\eta\emptyset = \emptyset$ (empty restriction)

$R_1$: $x \neq \emptyset \rightarrow \eta x \in x$ (choice restriction)

$R_2$: $y \in x \rightarrow \eta x \leq y$ (minimality restriction)

$R_3$: $y \in x \rightarrow y < x$ (regularity restriction)

$R_4$: $\{x_1, x_2, \dots, x_n\} \subset x \rightarrow \{x_1, x_2, \dots, x_n\} < x$ (finite monotonicity restriction)

$R_5$: $x_1, \dots, x_n < y_0 < y_1, \dots, y_m \rightarrow \{x_1, \dots, x_n, y_1, \dots, y_m\} < \{y_0, y_1, \dots, y_m\}$ (antilexicographic restriction)

From $R_5$ the following follows immediately.

LEMMA 2.1. If $A, B$ are finite sets then either

(i) $A \subseteq B$ and $A \leq B$, or

(ii) $B \subseteq A$ and $B \leq A$, or

(iii) $A < B$ if and only if $\max(A \setminus B) < \max(B \setminus A)$.

An immediate consequence is the following

$R_6$. If $x, y, z$ are finite sets then

Moreover the following is also true.

$R_7$. Let $A_1 < A_2 < \dots < A_n$ be nonempty finite sets which are pairwise disjoint then

if and only if

in the antilexicographic ordering.

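Indeed assume that $i_1 < i_2 < \dots < i_k$ and $j_1 < j_2 < \dots < j_m$. Clearly

$$\{i_1, i_2, \dots, i_k\} \subseteq \{j_1, j_2, \dots, j_m\} \rightarrow A_{i_1} \cup A_{i_2} \cup \dots \cup A_{i_k} \subseteq A_{j_1} \cup A_{j_2} \cup \dots \cup A_{j_m} \tag{2.4}$$

and

$$\{j_1, j_2, \dots, j_m\} \subseteq \{i_1, i_2, \dots, i_k\} \rightarrow A_{j_1} \cup A_{j_2} \cup \dots \cup A_{j_m} \subseteq A_{i_1} \cup A_{i_2} \cup \dots \cup A_{i_k} \tag{2.5}$$

Therefore if one of (2.4) and (2.5) holds then $R_7$ is plain. Otherwise put $I = \{i_1, i_2, \dots, i_k\}$,
$J = \{j_1, j_2, \dots, j_m\}$. By R^ and by Lemma 2.1 we get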

lil  jiJ  i6/\J  JiAl 

<-»  max  (  U  '^i)<  ™ax  (  U  ^j) 




«max  A  „3^  (;^<  max  A  ^^^  ^j^ 


*~^^  max  (tJ)'^^  max  (AO 


t-»max  (/V)<  max  (TV) 

which completes the proof of $R_7$.

3.    Consistency 

In this section we show the existence of a function $\eta$ satisfying restrictions $R_0$-$R_5$ (and
hence also $R_6$ and $R_7$). To this end we consider the Von Neumann hierarchy of all sets.

$V_{\alpha+1} = \{s \mid s \subseteq V_\alpha\}$ for every ordinal $\alpha$
$V_\beta = \bigcup_{\alpha<\beta} V_\alpha$ for every limit ordinal $\beta$.

It is well known that we can consistently assume that for every set $s$ there is an ordinal $\alpha$
such that $s \subseteq V_\alpha$; the minimum such ordinal is called the rank of $s$ and is written rank $s$. We
define a well ordering of all sets in the following way:

We first put $s < t$ whenever rank $s <$ rank $t$. To order sets having the same rank $\alpha$ we
proceed by induction on $\alpha$. Indeed there is only one set of rank zero, namely the empty set.
Next assume we have ordered all sets of rank less than $\alpha$ and let $s$ and $t$ be two sets of rank
$\alpha$. If $s$ and $t$ are both infinite we put $s < t$, where $<$ is any well ordering of all infinite sets of
rank $\alpha$. If one is finite and the other is infinite then we make the finite set precede the
infinite set. Finally if they are both finite we order them antilexicographically (this makes
sense, because by the induction hypothesis the elements of $s$ and $t$ have been already
ordered). This completes the definition of a well ordering "$<$" of all sets. Now put

$\eta\emptyset = \emptyset$ and $\eta s =$ the least element of $s$ with respect to $<$.

It is immediate to verify that restrictions $R_0$, $R_1$ and $R_2$ are satisfied. Moreover if $y \in x$ then
rank $(y) <$ rank $(x)$. This shows that $R_3$ is also satisfied. Furthermore if $\{x_1, x_2, \dots, x_n\} \subset x$,
rank $\{x_1, x_2, \dots, x_n\} =$ rank $x$ and $x$ is finite then by the antilexicographic property $\{x_1, x_2, \dots, x_n\} < x$.
This yields $R_4$. Finally if rank $(x_i) \leq$ rank $(y_0)$, $i = 1, \dots, n$, then rank
$\{x_1, \dots, x_n, y_1, \dots, y_m\} \leq$ rank $\{y_0, y_1, \dots, y_m\}$. This shows that $R_5$ holds, completing the proof
of the existence of a function $\eta$ satisfying all the conditions $R_0$-$R_5$.
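The construction of this section can be checked mechanically on hereditarily finite sets. The Python sketch below is an added example, not code from the paper: it builds the rank-then-antilexicographic ordering, takes $\eta$ as the least element, tests $R_0$-$R_5$ exhaustively on the 16 sets of $V_4$, and compares this $\eta$ with a second choice function on formula (2.1) of Section 2. All function names and the sample sets are constructed for the illustration.

```python
from functools import reduce
from itertools import combinations

EMPTY = frozenset()

def rank(s):
    """Von Neumann rank of a hereditarily finite set."""
    return 1 + max(map(rank, s)) if s else 0

def less(s, t):
    """s < t: lower rank first; within one rank, antilexicographic order."""
    if s == t:
        return False
    if rank(s) != rank(t):
        return rank(s) < rank(t)
    # The largest element on which s and t differ decides the comparison.
    return largest(s ^ t) in t

def largest(xs):
    return reduce(lambda a, b: b if less(a, b) else a, xs)

def eta(s):
    """Choice operator of Section 3: least element of s, eta(EMPTY) = EMPTY."""
    return reduce(lambda a, b: b if less(b, a) else a, s) if s else EMPTY

def subsets(xs):
    xs = list(xs)
    return [frozenset(c) for r in range(len(xs) + 1) for c in combinations(xs, r)]

def V(n):
    """Level V_n of the hierarchy: V_0 is empty, V_{k+1} = all subsets of V_k."""
    level = []
    for _ in range(n):
        level = subsets(level)
    return level

def violations(universe, atoms):
    """Names of the restrictions R0-R5 that fail (R5 is tested on sets of atoms)."""
    bad = set()
    if eta(EMPTY) != EMPTY:
        bad.add("R0")
    for x in universe:
        if x and eta(x) not in x:
            bad.add("R1")
        for y in x:
            if less(y, eta(x)):
                bad.add("R2")
            if not less(y, x):
                bad.add("R3")
        for sub in subsets(x):
            if sub != x and not less(sub, x):
                bad.add("R4")
    for y0 in atoms:
        lower = [a for a in atoms if less(a, y0)]
        upper = [a for a in atoms if less(y0, a)]
        for xs in subsets(lower):
            for ys in subsets(upper):
                if not less(xs | ys, ys | {y0}):
                    bad.add("R5")
    return bad

def satisfies_postulates(ch, sets):
    """Only the two basic postulates: ch(s) in s and ch(s) disjoint from s."""
    return all(ch(s) in s and not (ch(s) & s) for s in sets if s)

def formula_2_1(ch, x, y):
    """(2.1): ch(x) in y and ch(y) in x implies ch(x) = ch(y)."""
    return not (ch(x) in y and ch(y) in x) or ch(x) == ch(y)

# Constructed sample sets: X = {0, B}, Y = {0, B, C} with B = {{0}}, C = {B}.
ONE = frozenset([EMPTY])
B = frozenset([ONE])
C = frozenset([B])
X = frozenset([EMPTY, B])
Y = frozenset([EMPTY, B, C])

def other_choice(s):
    """A second operator that obeys the basic postulates but not R2 (constructed)."""
    return B if s == Y else eta(s)

if __name__ == "__main__":
    print("violated restrictions on V_4:", violations(V(4), V(3)))
    print("(2.1) with eta:", formula_2_1(eta, X, Y))
    print("(2.1) with other_choice:", formula_2_1(other_choice, X, Y))
```

The second operator still picks an element disjoint from its argument, yet it falsifies (2.1), which is the dependence on the choice function that the restrictions remove.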

4.    Preliminaries  on  Multilevel  Syllogistic 

Multilevel Syllogistic (abbreviated MLS) is the unquantified theory whose language
consists of

variables $x, y, z, \dots$,

the operators $\cup$, $\cap$, $\setminus$,

the relators $\in$, $=$.

In addition to these symbols we can use the usual propositional connectives
$\neg$, $\&$, $\vee$, $\rightarrow$, $\leftrightarrow$. Variables are supposed to range over arbitrary sets whereas the operators and
relators are interpreted in the usual set-theoretical sense. An example of a formula in MLS
is the following:

$$x \in (y \cup z) \;\&\; x \notin y \rightarrow x \in z.$$

This theory was shown to be decidable in [1]. The method described in [1] can be rephrased
as follows. First we can limit ourselves, without loss of generality, to showing how to test
satisfiability of any finite conjunction $Q$ of literals of the following type:

$(=)$ $x = y \cup z$, $x = y \setminus z$

$(\in, \notin)$ $x \in y$, $x \notin y$

To describe how to accomplish this we need some definitions.

DEFINITION 4.1. A place $\alpha$ of $Q$ is a $\emptyset/\{\emptyset\}$-valued function defined on the variables
appearing in $Q$ and which satisfies all literals of type $(=)$ in $Q$.

Notice that there are only finitely many places of $Q$.

DEFINITION 4.2. A place $\alpha$ at $x$ of $Q$ is a place of $Q$ such that $\alpha(y) = \{\emptyset\}$ (resp. $\emptyset$)
whenever $x \in y$ (resp. $x \notin y$) appears in $Q$.

Let $\sim$ be the equivalence relation defined by $x \sim y \leftrightarrow \alpha(x) = \alpha(y)$ for every place $\alpha$ of $Q$.
Partition the variables of $Q$ into equivalence classes, pick a representative $x$ in each class
$\{y : y \sim x\}$ and replace each variable $x$ in $Q$ by its representative $x$. Let $Q$ be the resulting
conjunction and let $Y = \{y_1, y_2, \dots, y_m\}$ be the set of all variables of $Q$.

DEFINITION 4.3. Let $\Gamma$ be a set of places of $Q$. Then $x \sim_\Gamma y$ will be an abbreviation for
$(\forall \alpha \in \Gamma)(\alpha(x) = \alpha(y))$. The following states the decidability of MLS [1].

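THEOREM 4.1 $Q$ has a model if and only if there is a set $\Gamma = \{\alpha_1, \alpha_2, \dots, \alpha_n\}$ of pairwise
distinct places of $Q$, an ordering $<$ of $Y/\sim_\Gamma$, and a function $F : \{1, \dots, m\} \rightarrow \{1, \dots, n\}$ such
that:

$$\alpha_{F(i)} \text{ is a place at } y_i \text{ of } Q \text{ for every } i = 1, 2, \dots, m \tag{4.1}$$

$$y_i \sim_\Gamma y_j \leftrightarrow F(i) = F(j) \tag{4.2}$$

$$\alpha_{F(j)}(y_i) = \{\emptyset\} \rightarrow y_i > y_j \tag{4.3}$$

(where $y$ denotes the element of $Y/\sim_\Gamma$ containing $y$).

If $\Gamma$, $<$, $F$ exist in such a way as to satisfy conditions (4.1) - (4.3) then models of $Q$ can be
built as follows. Choose sets $\sigma_j$, $j = 1, \dots, n$. Defining $My_i$ before $My_j$ whenever $y_i < y_j$ put:

$$My_i = \bigcup_{\alpha_j(y_i) = \{\emptyset\}} \sigma_j \cup \{My_k : \alpha_{F(k)}(y_i) = \{\emptyset\}\} \tag{4.4}$$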

Complete the definition of $M$ by putting $Mx = Mx$ for any other variable of $Q$. Then we have
the following basic fact [1]:

THEOREM 4.2. Formula (4.4) defines a model of $Q$ whenever the following conditions are
satisfied

$$\sigma_i \cap \sigma_j = \emptyset \text{ whenever } i \neq j \tag{4.5}$$

$$My_i \notin \sigma_j \text{ for every } i = 1, \dots, m \text{ and } j = 1, \dots, n \tag{4.6}$$

$$\sigma_j \neq \emptyset \text{ unless } j = F(k) \text{ for some } k. \tag{4.7}$$

5.    Decidability  of  Finite  Satisfiability  for  MLS  Extended  with  a  Choice  Operator 

We extend the language of MLS by adding a new unary operator $\eta$ and show that the
following completeness result holds for this extended theory which we call MLS$\eta$.

THEOREM 5.1: For every formula $\psi$ of MLS$\eta$ either $\psi$ is true under all finite
interpretations (i.e. interpretations in which the value of each term in $\psi$ is a finite set) or its
negation is satisfied by some finite interpretation independently of the particular choice of $\eta$
satisfying restrictions $R_0$-$R_5$.

We prove this theorem by giving an algorithm which decides whether or not $\neg\psi$ has finite
models and in the positive case is able to construct a finite model of $\neg\psi$ which is independent
of the particular interpretation of $\eta$. By the very same argument used in MLS we can restrict
ourselves to consider a finite conjunction $Q_\eta$ of literals of the following types:

$(=)$ $x = y \cup z$, $x = y \setminus z$

$(\in, \notin)$ $x \in y$, $x \notin y$

$(\eta)$ $x = \eta y$
Let $Q$ be the set of statements of type $(=)$, $(\in, \notin)$ in $Q_\eta$ and let $Q_\eta$ be the result of replacing
in $Q_\eta$ each variable by its representative in the equivalence relation determined by all places
of $Q$. Let $Y = \{y_1, y_2, \dots, y_m\}$ be the set of all the variables appearing in $Q_\eta$. Our main result is
a consequence of the following decidability theorem.

THEOREM 5.2 $Q_\eta$ has a finite model if and only if there exist a set of pairwise distinct
places $\Gamma = \{\alpha_1, \alpha_2, \dots, \alpha_n\}$ of $Q$ and a function $F : \{1, \dots, m\} \rightarrow \{1, \dots, n\}$ such that

$$\alpha_{F(i)} \text{ is a place at } y_i \text{ of } Q \text{ for every } i = 1, 2, \dots, m. \tag{5.1}$$

Moreover, let $<$ be the ordering on $Y/\sim_\Gamma$ defined as follows. Put

$$A_i = \{j : \alpha_j(y_i) = \{\emptyset\}\}$$

and let $y_i < y_j$ whenever $A_i$ precedes $A_j$ in the antilexicographic ordering of finite sets of integers.

Then the following properties must also hold

$$\alpha_{F(j)}(y_i) = \{\emptyset\} \rightarrow y_j < y_i \tag{5.3}$$

$$\alpha_j(y_i) = \{\emptyset\} \rightarrow j < F(i) \tag{5.4}$$

If $y_{j'} = \eta y_j$ appears in $Q_\eta$ then either $\alpha_k(y_j) = \emptyset$ for all $k = 1, 2, \dots, n$ and $y_{j'} \sim_\Gamma y_j$, or (5.5)

$\alpha_{F(j')}(y_j) = \{\emptyset\}$ and

$$\alpha_{F(k)}(y_j) = \{\emptyset\} \rightarrow (y_{j'} \sim_\Gamma y_k \text{ or } y_{j'} < y_k) \tag{5.5.a}$$

$$\alpha_t(y_j) = \{\emptyset\} \rightarrow \forall \alpha_\ell \in \Gamma\,(\alpha_\ell(y_{j'}) = \{\emptyset\} \rightarrow \ell < t) \tag{5.5.b}$$

Furthermore if conditions (5.1) - (5.5) are all satisfied then a finite model of $Q_\eta$,
independent of the particular choice of $\eta$, can be effectively constructed.

Proof.    Assume  that  2-q  has  a  finite  model  M  and  let  Afy, ,  .  .  .  .Afy,   with  l-^ij^m  be 

pairwise  distinct  sets  such  that  {My,  ....  ,My,}=  {My^,  .  .  .  ,A/y„}.    Let  A^,A2,...yA„  be  the 

nonempty    disjoint    parts    of    the    Venn    diagram    determined    by    My,  , ,My,  .     Assume 

$A_1 < A_2 < \dots < A_n$ in the well ordering of sets associated with $\eta$. Let $\alpha_1, \dots, \alpha_n$ be the
places of $Q$ defined by

$$\alpha_i(y_j) = \{\emptyset\} \text{ if and only if } A_i \subseteq My_j.$$

Put $F(i) = k$ if and only if $My_i \in A_k$. We claim that $\Gamma = \{\alpha_1, \dots, \alpha_n\}$ and $F$ satisfy conditions
(5.1) - (5.5). Indeed conditions (5.1) and (5.2) are immediate. To verify the remaining
conditions we will make use of the following

LEMMA 5.3.

$$y_i \sim_\Gamma y_j \text{ if and only if } My_i = My_j \tag{5.6}$$

$$y_i < y_j \text{ if and only if } My_i < My_j \text{ in the well ordering of all sets associated with } \eta. \tag{5.7}$$

Proof. (5.6) is plain by the definition of the places $\alpha_i$. Moreover condition (5.7) is an
immediate consequence of $R_7$ proven in Section 2.

To verify condition (5.3), assume that $\alpha_{F(j)}(y_i) = \{\emptyset\}$; then $My_j \in My_i$ and by $R_3$ it follows
$My_j < My_i$. Applying Lemma 5.3 we get $y_j < y_i$ which proves (5.3). Next we verify (5.4).
Let $\alpha_j(y_i) = \{\emptyset\}$, then $A_j \subseteq My_i \in A_{F(i)}$. By $R_3$ and $R_4$ we have $A_j < A_{F(i)}$ and hence $j < F(i)$
which completes the verification of (5.4). Finally to show that (5.5) also holds assume that
$y_{j'} = \eta y_j$ appears in $Q_\eta$. Since $M$ is a model of $Q_\eta$ then $My_{j'} = \eta My_j$. Thus if $My_j = \emptyset$ then
$My_{j'} = \emptyset$ and by Lemma 5.3 $y_{j'} \sim_\Gamma y_j$. Otherwise if $My_j \neq \emptyset$ then by $R_1$ $My_{j'} \in My_j$ and
$\alpha_{F(j')}(y_j) = \{\emptyset\}$. Therefore if $\alpha_{F(k)}(y_j) = \{\emptyset\}$ for some $k$ then $My_k \in My_j$. By $R_2$ it follows that
$My_{j'} \leq My_k$ and hence by Lemma 5.3 either $y_{j'} \sim_\Gamma y_k$ or $y_{j'} < y_k$ showing (5.5.a). Moreover if
$\alpha_t(y_j) = \{\emptyset\}$ then $\emptyset \neq A_t \subseteq My_j$. It follows by $R_2$ that $My_{j'}$ is less than or equal to each element
of $A_t$. By applying $R_3$ we have $My_{j'} < A_t$. Therefore if $\alpha_\ell(y_{j'}) = \{\emptyset\}$ then $A_\ell \subseteq My_{j'} < A_t$ which
by $R_4$ gives $A_\ell < A_t$. This yields $\ell < t$ completing the proof of (5.5.b) and showing that
Theorem 5.2 holds in one direction.

Conversely, assume that $\Gamma = \{\alpha_1, \alpha_2, \dots, \alpha_n\}$ and $F$ can be found in such a way as to
satisfy all the conditions (5.1) - (5.5). We will show how to build a finite model of $Q_\eta$ which
is independent of the particular choice of $\eta$ (subject only to the restrictions $R_0$-$R_5$).

Let $I_1$ be a finite set of odd rank and put

$$I_m = \{\{I_{m-1}\}\} \text{ for } m > 1$$

Notice that all these sets $I_m$ have odd ranks $r_m$ and $r_1 < r_2 < \dots$ Moreover $I_1 < I_2 < \dots$
in any well ordering of all sets satisfying restriction $R_3$.

Next put

$$\sigma_j = \{I_j\} \text{ for every } j = 1, 2, \dots, n \tag{5.8}$$

Defining $My_i$ before $My_j$ whenever $y_i < y_j$ put:

Extend the definition of $M$ to every variable $y$ of $Q_\eta$ by putting $My = My$. Since by
hypothesis conditions (4.1), (4.2), and (4.3) of Theorem 4.1 are satisfied then we can try to
apply Theorem 4.2. Since conditions (4.5) and (4.7) are trivially satisfied by (5.8) then it
remains only to verify that (4.6) also holds. To this end we make use of the following

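LEMMA 5.4

$$\operatorname{rank}(My_i) = \max\{\operatorname{rank}(\sigma_j) : \alpha_j(y_i) = \{\emptyset\}\}$$

Proof. We proceed by induction. If $y_i$ is minimum in $Y/\sim_\Gamma$ with respect to the ordering
defined in the statement of Theorem 5.2, then by (5.3) and (5.9)

and the lemma is trivial.

Next assume that the lemma holds for every $y$ less than $y_i$. Let

$$p = \operatorname{rank}\Big(\bigcup_{\alpha_j(y_i) = \{\emptyset\}} \sigma_j\Big) = \max\{\operatorname{rank} \sigma_j : \alpha_j(y_i) = \{\emptyset\}\}$$

and let

$$q = \operatorname{rank}\{My_k : \alpha_{F(k)}(y_i) = \{\emptyset\}\} = \max\{\operatorname{rank}(My_k) : \alpha_{F(k)}(y_i) = \{\emptyset\}\} + 1$$

We want to show that $p \geq q$. Indeed by the induction hypothesis and by (5.3) if
$\alpha_{F(k)}(y_i) = \{\emptyset\}$, then $\operatorname{rank}(My_k) = \max\{\operatorname{rank}(\sigma_j) : \alpha_j(y_k) = \{\emptyset\}\}$. But by (5.4) if $\alpha_j(y_k) = \{\emptyset\}$
then $j < F(k)$ and hence $\operatorname{rank}(\sigma_j) < \operatorname{rank}(\sigma_{F(k)})$. It follows that $\operatorname{rank}(My_k) < \operatorname{rank}(\sigma_{F(k)})$ for
every $k$ such that $\alpha_{F(k)}(y_i) = \{\emptyset\}$. Therefore

$$q - 1 < \max\{\operatorname{rank}(\sigma_{F(k)}) : \alpha_{F(k)}(y_i) = \{\emptyset\}\} \leq p.$$

This yields $q \leq p$ completing the proof of the lemma.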

By this lemma it follows that each $My_i$ has an even rank whereas each $I_j$ has an odd
rank. This implies $My_i \notin \sigma_j$, proving (4.6). Then we can apply Theorem 4.2 having that
(5.9) defines a model $M$ of all MLS statements in $Q_\eta$. In order to verify that $M$ is indeed a
model of $Q_\eta$ no matter how $\eta$ is chosen we proceed as follows. Assume that $y = \eta x$ appears
in $Q_\eta$ and let $y_{j'} = y$ and $y_j = x$. Thus $y_{j'} = \eta y_j$ appears in $Q_\eta$. By (5.5) if $\alpha_k(y_j) = \emptyset$ for all $k$
then $y_{j'} \sim_\Gamma y_j$, $My_{j'} = My_j = \emptyset = Mx = My$ and $My = \eta Mx$. Otherwise $\alpha_{F(j')}(y_j) = \{\emptyset\}$ which yields
$My_{j'} \in My_j$. We will show that $My_{j'}$ is indeed the least element of $My_j$ in any well ordering of
all sets satisfying $R_3$, $R_4$, and $R_5$.

To this end we show the following lemma in which $<$ is the ordering of $Y/\sim_\Gamma$
mentioned in Theorem 5.2.

LEMMA 5.5. If $y_h < y_k$ then $My_h <^* My_k$ in any well ordering $<^*$ of all sets satisfying
$R_3$, $R_4$ and $R_5$.

To prove this lemma we need to show that the following is also true.

LEMMA 5.6.

$$My_h <^* I_{F(h)}$$

in any well ordering $<^*$ of all sets satisfying $R_3$, $R_4$, and $R_5$.

Proof: Again we proceed by induction. If $y_h$ is the least element of $Y/\sim_\Gamma$ with respect to the
ordering $<$ defined in the statement of Theorem 5.2 then $My_h = \bigcup_{\alpha_t(y_h) = \{\emptyset\}} \sigma_t$ by (5.3) and
(5.9). But by (5.4) if $\alpha_t(y_h) = \{\emptyset\}$ then $t < F(h)$ so that $I_t \leq^* I_{F(h)-1} <^* \{I_{F(h)-1}\}$ in any well
ordering $<^*$ of sets satisfying $R_3$, $R_4$, and $R_5$. By $R_5$ we get

$$My_h = \{I_t : \alpha_t(y_h) = \{\emptyset\}\} <^* \{\{I_{F(h)-1}\}\} = I_{F(h)}$$

proving our lemma when $y_h$ is the least element of $Y/\sim_\Gamma$.

Next assume that the lemma holds for every $y_k$ with $y_k < y_h$. By (5.8) and (5.9) we have that
$My_h = \{I_t : \alpha_t(y_h) = \{\emptyset\}\} \cup \{My_k : \alpha_{F(k)}(y_h) = \{\emptyset\}\}$. Now if $\alpha_t(y_h) = \{\emptyset\}$ then by (5.4) $t < F(h)$ and
$I_t \leq^* I_{F(h)-1} <^* \{I_{F(h)-1}\}$. Moreover if $\alpha_{F(k)}(y_h) = \{\emptyset\}$ then by the induction hypothesis
$My_k <^* I_{F(k)}$ and by (5.4) $F(k) < F(h)$. Thus $My_k <^* I_{F(k)} \leq^* I_{F(h)-1} <^* \{I_{F(h)-1}\}$. We can then
conclude that every element of $My_h$ is less than $\{I_{F(h)-1}\}$ in any well ordering $<^*$ of all sets
satisfying $R_3$-$R_5$. This implies that $My_h <^* \{\{I_{F(h)-1}\}\} = I_{F(h)}$ completing the proof of Lemma
5.6.

Now  we  are  ready  to  prove  Lemma  5.5.  Indeed  if  yi,<yk  then  A^<A^  in  the  anti- 
lexicographic  ordering  of  all  sets  of  integers.  Let  A;,  =  {jpi2>-''i}  ^^^  ^*~0i  J2'-'./m}  with 
j,</2<  •  •  •  <i,  and  Ji<J2<  "  "  "  <Jm-  Since  Af,<Ai^  then  there  exists  J;€{ji,...  j„}  such  that 
Of+i,---Jm}£{'i.--.'r}  and  {/,,.. .,i,}\{/i,  ■  •  •  J  J  <{j(}-   Thus 

u    -.<•% 

a/y*)  =  {■*>}<» 

On    the    other    hand    if    af^^-^{y),)  =  {^}&    a.f^^-^{yf.)  =  <^    then    F(q)<j(    and    by    Lemma   5.6 
Afy  <*/f(  )<'/   .  Therefore  we  have  that 

U       '^rU{A/y,:af(,)W  =  {4.}<ftaf(,)0-,)  =  <j,}<V, 

a,(>»)  =  {4>}<i 

Using  /?g  and  if4  we  get 

MyH=       U      «^rU{^3',:af«,)W  =  {<l>}}<V    U 

",(>,)  =  {*} 

(       U       '^rU{A/y,:af(,)(yJ  =  af(,)(y,)=={<J,}})s-A/y, 
which  completes  the  proof  of  Lemma  5.5. 

Next we show that $My_{j'}$ is the least element of $My_j$ in every well ordering $<^*$ of all sets
satisfying $R_3$-$R_5$. Indeed we know that by (5.9)

$$My_j = \bigcup_{\alpha_t(y_j) = \{\emptyset\}} \sigma_t \cup \{My_k : \alpha_{F(k)}(y_j) = \{\emptyset\}\}$$

Now by (5.5.b) if

$$\alpha_t(y_j) = \{\emptyset\}$$

then

$$(\forall \alpha_\ell \in \Gamma)(\alpha_\ell(y_{j'}) = \{\emptyset\} \rightarrow \ell < t)$$

This implies that if $\alpha_\ell(y_{j'}) = \{\emptyset\}$ then $I_\ell \leq^* I_{t-1} <^* \{I_{t-1}\}$
for every $t$ such that $\alpha_t(y_j) = \{\emptyset\}$. Consequently if $\alpha_{F(k)}(y_{j'}) = \{\emptyset\}$ then by Lemma 5.6
$My_k <^* I_{F(k)} <^* \{I_{t-1}\}$ for every $t$ such that $\alpha_t(y_j) = \{\emptyset\}$. Therefore every element of $My_{j'}$ is less
than $\{I_{t-1}\}$ for every $t$ such that $\alpha_t(y_j) = \{\emptyset\}$. It follows by $R_5$ that

for every $t$ such that $\alpha_t(y_j) = \{\emptyset\}$. To complete our proof it remains to show that $My_{j'}$ is less
than or equal to every element $My_k$, with $\alpha_{F(k)}(y_j) = \{\emptyset\}$, in every well ordering $<^*$ satisfying
$R_3$-$R_5$. Indeed if $\alpha_{F(k)}(y_j) = \{\emptyset\}$ then by (5.5.a) either $y_{j'} \sim_\Gamma y_k$ and $My_{j'} = My_k$ or $y_{j'} < y_k$ and
by Lemma 5.5 $My_{j'} <^* My_k$. We can then conclude that $My_{j'}$ is the least element of $My_j$ in any
well ordering $<^*$ of all sets satisfying $R_3$, $R_4$, and $R_5$. Therefore $My_{j'} = \eta My_j$ and
$My = My = My_{j'} = \eta My_j = \eta Mx = \eta Mx$. We have thus shown that $M$ is indeed a model of $Q_\eta$
independent of the particular choice of $\eta$, completing the proof of our main theorem.

6.    A  Validity  Test  for  a  Weaker  Theory 

In this section we consider the theory which results by dropping the symbols $\cap$, $\cup$, $\setminus$
from the language considered in the preceding section. Moreover we assume that only
restrictions $R_0$-$R_3$ must hold and that variables can range over arbitrary sets (not necessarily
finite).

First we consider the case in which the $\eta$ operator does not appear. So let $Q$ be a
conjunction of literals of type

$(=, \neq)$ $x = y$, $x \neq y$

$(\in, \notin)$ $x \in y$, $x \notin y$

where $x, y$ are either variables or the constant $\emptyset$.

We describe a satisfiability algorithm for $Q$ originally given in [2]. Let $\sim$ be the smallest
equivalence relation on the set of all the variables of $Q$ such that $x = y$ in $Q$ implies $x \sim y$.
Choose a representative $x$ in each equivalence class $\{y : y \sim x\}$, replace every variable by its
representative in $Q$ and let $Q$ be the resulting formula. The following is part of [2].

THEOREM 6.1. $Q$ has a model if and only if in $Q$ the following conditions are satisfied.

(6.1) There is no explicit contradiction of the form $x \neq x$ or $x \in y \;\&\; x \notin y$.

(6.2) There is an ordering $y_1, y_2, \dots, y_m$ of the variables of $Q$ such that $y_1 \sim \emptyset$, and such that
$y_i \in y_j$ in $Q$ implies $i < j$.

Let $x \mathrel{\hat\in} y$ denote the fact that $x \in y$ is in $Q$. If (6.1) and (6.2) are satisfied then models of
$Q$ can be built as follows. Choose sets $\sigma_j$, $j = 1, \dots, m$, such that $\sigma_1 = \emptyset$. Next going upward
in the ordering of variables, put

$$My_i = \sigma_i \cup \{My_j : y_j \mathrel{\hat\in} y_i\} \tag{6.3}$$

and complete the definition of $M$ by putting $Mx = Mx$ for every other variable $x$ of $Q$. Then
the following is true (see [2]).

THEOREM 6.2 Formula (6.3) defines a model $M$ of $Q$ whenever the following conditions
hold

$$My_i \notin \sigma_j \text{ for every } i, j = 1, \dots, m \tag{6.4}$$

$$My_i \neq My_j \text{ unless } i = j \tag{6.5}$$
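An added example (not from the paper or from [2]): a Python sketch of the test of Theorem 6.1 together with the model construction (6.3), using the choice $\sigma_i = \{\{Mz_{i-1}\}\}$ that the paper gives later in (6.14). The literal encoding, the name "0" for the constant $\emptyset$, the sample conjunction and the function names are assumptions of the example.

```python
EMPTY = "0"  # assumed spelling of the constant empty set inside literals

def rank(s):
    """Von Neumann rank of a hereditarily finite set (frozenset of frozensets)."""
    return 1 + max(map(rank, s)) if s else 0

def solve(literals):
    """literals: tuples (op, x, y) with op in {"=", "!=", "in", "notin"}.
    Returns a dict variable -> frozenset (a model) or None if unsatisfiable."""
    parent = {}

    def find(v):
        parent.setdefault(v, v)
        while parent[v] != v:
            parent[v] = parent[parent[v]]
            v = parent[v]
        return v

    # Smallest equivalence relation containing the equalities.
    find(EMPTY)
    for op, x, y in literals:
        find(x), find(y)
        if op == "=":
            parent[find(x)] = find(y)
    neq = {(find(x), find(y)) for op, x, y in literals if op == "!="}
    mem = {(find(x), find(y)) for op, x, y in literals if op == "in"}
    non = {(find(x), find(y)) for op, x, y in literals if op == "notin"}

    # (6.1): no explicit contradiction x != x or (x in y and x notin y).
    if any(a == b for a, b in neq) or mem & non:
        return None

    # (6.2): order the classes, empty set first, members before containers.
    classes = {find(v) for v in list(parent)}
    zero = find(EMPTY)
    if any(b == zero for _, b in mem):
        return None                       # something would belong to the empty set
    order, placed = [zero], {zero}
    while len(order) < len(classes):
        ready = sorted(c for c in classes - placed
                       if all(a in placed for a, b in mem if b == c))
        if not ready:
            return None                   # membership cycle
        order.append(ready[0])
        placed.add(ready[0])

    # (6.3) with sigma_1 = empty and sigma_i = {{M z_{i-1}}} as in (6.14).
    model = {zero: frozenset()}
    for prev, c in zip(order, order[1:]):
        sigma = frozenset([frozenset([model[prev]])])
        model[c] = sigma | frozenset(model[a] for a, b in mem if b == c)
    return {v: model[find(v)] for v in list(parent)}

def holds(model, literals):
    """Evaluate every literal in the given assignment of sets."""
    ops = {"=": lambda a, b: a == b, "!=": lambda a, b: a != b,
           "in": lambda a, b: a in b, "notin": lambda a, b: a not in b}
    return all(ops[op](model[x], model[y]) for op, x, y in literals)

# Constructed sample conjunction: x in y & y in z & x notin z & x != 0.
SAT = [("in", "x", "y"), ("in", "y", "z"), ("notin", "x", "z"), ("!=", "x", EMPTY)]

if __name__ == "__main__":
    m = solve(SAT)
    print("model found:", m is not None and holds(m, SAT))
    print("ranks:", {v: rank(s) for v, s in m.items()})
    print("cycle:", solve([("in", "x", "y"), ("in", "y", "x")]))
```

With this choice of $\sigma_i$ the $i$-th class in the ordering receives a set of rank $2(i-1)$, which is what makes (6.4) and (6.5) hold.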

Next let $Q_\eta$ be a conjunction of literals of type

$(=, \neq)$ $x = y$, $x \neq y$

$(\in, \notin)$ $x \in y$, $x \notin y$

$(\eta)$ $y_{j'} = \eta y_j$

where $x, y, y_{j'}, y_j$ are either variables or the constant $\emptyset$. We want to show that the following
holds.

THEOREM 6.3. Either $Q_\eta$ is unsatisfiable or there is an effectively constructible
assignment of sets to variables which makes $Q_\eta$ true independently of the particular choice of $\eta$
subject only to satisfying restrictions $R_0$-$R_3$.

In order to prove this theorem we make use of the following set theoretic lemma.

LEMMA 6.4 For all sets $s_0, s_1, \dots, s_{n+1}$ if

$$s_0 = s_{n+1} \text{ and } \eta s_j \in s_{j+1},\ j = 0, \dots, n, \text{ then } \eta s_0 = \eta s_1 = \dots = \eta s_n$$

Proof. Indeed since $\eta s_j \in s_{j+1}$, then $\eta s_{j+1} \leq \eta s_j$ by $R_2$. This implies the lemma since $s_0 = s_{n+1}$.

To show that Theorem 6.3 holds, we first add to $Q_\eta$ the following sentences.

$$\emptyset \in y_j \rightarrow y_{j'} = \emptyset \tag{6.6}$$

$$y_{j'} \in y_j \vee (y_j = \emptyset \;\&\; y_{j'} = \emptyset) \tag{6.7}$$

n  n  +  1 

where  <yj,yj>>  and  <>   .y  ,  >  range  over  all  pairs  of  variables  appearing  in  literals  of  type 

(t)). 

For our purpose it is then sufficient to show that, for each disjunct $q_\eta$ in the disjunctive
normal form of $Q_\eta$, either $q_\eta$ is unsatisfiable or it has a model independent of $\eta$. To do this,
let $q_\eta$ be one of these disjuncts and let $q$ be the result of dropping literals of type $(\eta)$ in $q_\eta$.
We can assume that no pair of equivalent non-identical variables exists in $q$. To finish the
proof of Theorem 6.3 it is sufficient to demonstrate the following

LEMMA 6.5. $q_\eta$ has a model if and only if there is an ordering $z_1, z_2, \dots, z_m$ of the variables
of $q_\eta$ such that

$$z_1 \text{ is (equivalent to) } \emptyset; \tag{6.9}$$

$$z_u \mathrel{\hat\in} z_v \rightarrow u < v; \tag{6.10}$$

$$(z_v \sim y_{j'} \;\&\; z_w \sim y_j \;\&\; z_u \mathrel{\hat\in} z_w) \rightarrow v \leq u \tag{6.11}$$

for all variables $z_u, z_v, z_w$ and all $y_j, y_{j'}$ appearing in literals of type $(\eta)$. Moreover in the positive
case a model of $q_\eta$ independent of the particular choice of $\eta$ can be effectively constructed.

Proof.    First  assume  that  q.^  has  a  model  M.    For  every  pair  x,y  of  variables  of  q^  define 
x<*>'  to  mean  that  either 

Mx<My  in    the    well    ordering    of   all    sets    associated    with  ti  (6-12) 


or 


Mx  =  My ,x,y  are  distinct  and  for  some  y  ,x~)'-,  and  )'€>',  (6.13) 

Let  us  first  prove  that  there  are  no  cycles  of  <  "^ .  That  is  there  are  no  distinct  variables 
x„,x^_^,...,Xq  of  q^  such  that  x„<^x„_,<"'"  •  •  •  <"^*o  where  n>0  and  Xq  is  the  same  as  x„. 
Indeed  by  (6.12)  and  (6.13)  this  could  only  happen    if  for  k  =  n,n-\,  •  •  ■  ,lA/Xjt  =  Af.Tj^_,  and 

A 

for  some  y  ,X(t~)',   andx^_j€y,.    Therefore  we  would  have 

A  A  A 

and  since  Xq  is  x^  then  y  ,  ~Xq.    It  readily  follows  from  (6.8)  that  all  the  x-  must  be  the  same, 

contradicting  x„<"^x„_,.  Therefore  the  transitive  closure  of  < "''  can  be  extended  to  a  linear 
ordering  z^yZj,  •  •  •  ,z„  of  the  variables  of  ^^.    Moreover  if  Mxi=<i>  then  <t><Afx  in  any  well 

A 

ordering  of  sets  satisfying  R^.  On  the  other  hand  if  Mx  =  <^  and  for  some  y:,x~y:,  and  ({)€y 
then  by  (6.6)  x  is  <}>.    This  shows  that  Zj  must  be  (equivalent  to)  <{)  ,  completing  the  proof  of 

A 

(6.9).     As   for    (6.10)    if   z„€z^,    then   A/z„€Mz^,Afz„<Afz^   and    by    (6.12)    m<v.     Finally   if 

A 

z^-~yj,z^~yj,  and  z^^z^  then  Mz^=-i]Mz^  and  Mz^^Mz^.  It  follows  that  Mz^^Mz^.  Now,  if 
Zy  and  z^  are  not  distinct  then  v  =  h'.  On  the  other  hand  if  z^,z^  are  distinct  and  Mz^<Mz^ 
then  by  (6.12)  v<m'.  Finally  if  z^,z^  are  distinct  and  Mz^  =  Mz^  then  by  (6.13)  again  v<m. 
This  concludes  the  verification  of  (6.11)  completing  the  proof  of  Lemma  6.5  in  one  direction. 

Conversely, assume that there exists an ordering $z_1, z_2, \dots, z_m$ of the variables of $q_\eta$
satisfying conditions (6.9) - (6.11). Then a model of $q_\eta$ independent of $\eta$ can be constructed
as follows. Put $Mz_1 = \sigma_1 = \emptyset$ and going upward in the ordering of indices $i = 2, 3, \dots, m$ put

$$\sigma_i = \{\{Mz_{i-1}\}\} \tag{6.14}$$

By an easy induction on $i$ it can be proven that

$$\operatorname{rank}(Mz_i) = 2(i-1) \text{ for each } i = 1, 2, \dots, m. \tag{6.16}$$

This implies immediately that conditions (6.4) and (6.5) are satisfied. Therefore $M$ is a
model of $q$. To show that $M$ is indeed a model of $q_\eta$ let $z_v = \eta z_w$ be in $q_\eta$. Then for some $j$,
$z_v \sim y_{j'}$ and $z_w \sim y_j$. By (6.7) either $z_v = z_w = \emptyset$ and $Mz_v = \emptyset = \eta\emptyset = \eta Mz_w$, or $z_v \mathrel{\hat\in} z_w$, and by (6.15)
$Mz_v \in Mz_w$. In this last case we want to show that $Mz_v$ is the least element of $Mz_w$ in any well
ordering "$<$" of sets satisfying $R_0$-$R_3$. Indeed by (6.10) and (6.14) it follows that
$Mz_v \in \dots \in \{Mz_{w-1}\}$ which by $R_3$ yields $Mz_v < \{Mz_{w-1}\}$. Moreover if $Mz_u \in Mz_w$ with $z_u \mathrel{\hat\in} z_w$ and
$z_u$ distinct from $z_v$ then by (6.11) $v < u$. This by (6.14) and (6.15) gives
$Mz_v \in \dots \in \{Mz_{u-1}\} \in Mz_u$ which implies $Mz_v < Mz_u$. We can then conclude that $Mz_v$ is the
least element of $Mz_w$ and that $M$ is indeed a model of $q_\eta$. Therefore Lemma 6.5 is proved,
implying that Theorem 6.3 also holds.

7.    Optimizations  of  the  Weaker  Validity  Test 

To improve the efficiency of the decision algorithm we have described, in forming $Q_\eta$ we
avoid including in it the formulas (6.6) - (6.8). As before $q_\eta$ denotes a disjunct of the
disjunctive normal form of $Q_\eta$. However, we modify $q_\eta$ as follows. We non-deterministically
"guess" for which literals $y_{j'} = \eta y_j$ the variable $y_j$ will be nonempty in the model we are after. For each
of these we add $y_{j'} \in y_j$ to $q_\eta$; for the remaining literals $y_{j'} = \eta y_j$ we add $y_j = \emptyset$ and $y_{j'} = \emptyset$ to
$q_\eta$. Define the relation $\sim$ on the variables of $q_\eta$ as the smallest equivalence relation such that

$$x \sim y \text{ whenever } x = y \text{ is in } q_\eta \tag{7.1}$$

$$\emptyset \sim x \text{ whenever } z \in w \text{ is in } q_\eta \text{ with } z \sim \emptyset,\ x \sim y_{j'},\ w \sim y_j. \tag{7.2}$$

For every "cycle"

$$z_0 \in x_1,\ z_1 \in x_2,\ \dots,\ z_{n-1} \in x_n,\ z_n \in x_0 \text{ in } q_\eta \text{ with } n > 0$$

and $x_k \sim y_{j_k}$, $z_k \sim y_{j_k'}$ for $k = 0, 1, \dots, n$, one must have $z_0 \sim z_1 \sim \dots \sim z_n$ (7.3)

The remaining steps of the validity test are the same as in the preceding algorithm. More
precisely the existence of an ordering $z_1, z_2, \dots, z_m$ of the variables of $q_\eta$ satisfying (6.9) -
(6.11) is tested. Finally Lemma 6.5 can be proved in analogy with the preceding proof.